Build trust with Privacy in 2024

Demonstrate your compliance with one or more of 15+ global regulations like GDPR, CCPA/CPRA to earn trust and grow revenue with enterprise customers. 


Is this the year you grow with SOC 2?

There’s no better standard to baseline your information security and earn trust with a broad customer base.

AssuranceLab is a registered CPA and CA firm ready to help you earn trust with SOC 2 in the US and globally.

We provide end-to-end readiness and audit services, with a cloud-native and agile approach that enables you to work at your own pace.


You’re in great company. We work with hundreds of fast-growing software companies across 13 countries, ranging in size from 2 to 26,000 employees.


You’re in great company. We work with hundreds of fast-growing software companies across 20+ countries, ranging in size from 2 to 26,000+ employees.


Privacy compliance

that earns trust

Privacy attestations for GDPR, CCPA/CPRA, and other regional regulations give peace of mind to enterprise

AssuranceLab is a certified CPA and CA firm ready to help you earn trust with privacy attestations globally.

We provide end-to-end readiness and audit services, with a cloud-native and agile approach that enables you to work at your own pace.



Clear reasons to act



A globally recognised attestation
report to build trust at scale


Customer comfort
and trust

A detailed report addressing crucial
customer due diligence questions


Minimal business

Agile and flexible audits that help minimise the disruption while meeting client deadlines


Choice of

Set your target to include one or many privacy regulations in trust-building attestations



Combine one or more privacy attestations with other compliance goals like SOC 2 and HIPAA 


Recognition of
partial progress

The ability to achieve a privacy attestation report
with outstanding issues or process improvements


Four Steps to Privacy

left arrow right arrow
Privacy Readiness Assessment

Privacy Readiness Assessment

We built Pillar so you can assess your compliance with 30+ global frameworks. Select your choice of specific privacy regulations like GDPR, and privacy standards like SOC 2 Privacy and ISO 27701 to get a tailored view of your controls and any gaps. And, Pillar is always free.

Remediation Support

Remediation Support

We guide you as you address any gaps and implement fit-for-purpose processes that align with your culture, nature of data collected, and your specific privacy requirements. Our flexible and responsive team helps you work through it at your own pace.

Privacy Type 1 Audit

Privacy Type 1 Report

We conduct the Type 1 audit at your pace to help you minimise disruption and learn through the process. Our iterative reviews and feedback helps you stay on track and achieve real operational benefits for your company. The Type 1 demonstrates your privacy-by-design to achieve your chosen regulations and standards.

Privacy Type 2 Audit

Privacy Type 2 Report

We conduct the Type 2 audits either at your pace within a defined timeline to suit your preference, or increasingly with our continuous audit practices that conduct the audits in the background throughout the year to minimise disruption and increased confidence in your compliance. The Type 2 demonstrates your effective operation of privacy controls to achieve your chosen regulations and standards.

Get started your way.
We’re ready when you are!


Your questions answered

Is an attestation report the same as compliance?

No, there are differences. Regulations like GDPR are mandatory obligations that apply if your data processing activities meet the criteria of the regulation. The regulation sets out the detailed compliance requirements. If you operate in accordance with those requirements, you are compliant, regardless of whether you issue an attestation report. 

An attestation report is used to provide third parties with evidence of your compliance with an independent audit that earns and maintains trust in your compliance. That’s especially important where your customers rely on your compliance for their own compliance, eg. If they are using your software or services with the personal data of their customers. 

Which privacy regulations do I need to comply with?

There are many global privacy regulations that may apply to your data processing activities.

For regulations like the GDPR, Australian Privacy Principles and New Zealand Privacy Act, there is no materiality level applied. That means you need to comply with the regulations if you collect any personal data from citizens of the EU, Australia or New Zealand respectively.

Regulations like the California Privacy Act (CCPA/CPRA) and several other American state-specific regulations, there is a materiality level applied to the scale of data collected and in some cases the company turnover and whether the sale of personal data is conducted.

The International Association of Privacy Professionals (IAPP) has some great resources to guide you on your requirements, including this helpful mapping of global regulations.

Do I need to engage legal counsel?

It is common to engage legal counsel to interpret the requirements of the regulation and how they apply to your data processing activities and operations. This is not required by the regulation itself, however. Many organisations, especially with a simpler or smaller scope of handling personal data find they can follow the principals and requirements of the regulation without needing legal counsel.

What are Type 1 and Type 2 reports?

A Type 1 report attests to your compliance by design. It’s a snapshot in time that can be achieved by showing you have the right systems and processes in place to satisfy the relevant privacy regulatory clauses.

A Type 2 report attests to your compliance by both design and operation over a period of time. It covers a period between 3-12 months to show your systems and processes have been operated consistently to satisfy the relevant privacy regulatory clauses.

Usually, a Type 1 report is issued first to baseline compliance. That marks the start of the live and recurring Type 2 audit periods for reports issued annually.

How do regulations based on principles work, like GDPR?

Regulations like the GDPR and other similar privacy rights and acts, are based on principles. That provides flexibility and room for judgment when it comes to applying those regulations. It recognises that there is subjectivity and varied circumstances that apply when handling personal data. 

The articles of the GDPR and other privacy regulations give more specific guidance and some hard requirements driven by those overarching principles designed to protect consumers interests.

How do I write a compliant privacy policy?

We developed PolicyTree to address the challenge our clients face when defining and documenting compliance policies. PolicyTree collects data points about the privacy regulations that apply, your data processing activities and systems, and then branches out into what’s relevant to your privacy practices. You select the components that apply and input details related to your preferences or current state of operation to generate a set of policies, including a Privacy Statement and Privacy Policy document. This links through to the relevant acts and clauses from 16 privacy regulations including the GDPR.


Earn trust with other leading standards


Blended Audits

Combine two or more compliance frameworks into a single blended audit process without duplication to scale trust, not costs and effort.



The de facto global and best practice standard for proving secure handling of electronic protected health information (ePHI).


Custom Frameworks

Manage any compliance obligations from customers, regulators or your own internal risk requirements with custom frameworks.


ISO 27001

An international framework to apply a structured and best practice methodology for managing information security.



A comprehensive, best practice standard for cloud security to achieve Level Two accreditation in the security, trust and risk (STAR) register.


Consumer Data Right

Access consumer data in Australia’s economy-wide open data regime with Consumer Data Right accreditation.


ESG Reporting

A flexible and lightweight framework to report up to 500+ positive impact activities supporting environmental, social and governance (ESG) objectives.



The global gold-standard for privacy. GDPR is regulated for personal data collected from EU citizens, and an effective framework to satisfy enterprise customers globally.



Trust services criteria to satisfy a broad customer base globally for security, availability, confidentiality, privacy and processing integrity.



The global gold-standard for privacy. GDPR is regulated for personal data collected from EU citizens, and an effective framework to satisfy enterprise customers globally.


Get started your way

We’re ready when you are

Can’t wait?

Our free products help you get started without any fuss:


The always-free GRC platform that powers trust for hundreds of technology companies.

policytree-tab-button-normal (1)

Our 40-minute policy generator; a better alternative to cookie-cutter templates.